The new provider imperative — Keep patient data safe

Patients trust providers to keep their personal health information safe. The consequences of mismanaged patient information or a data security breach can be far-reaching. With data breaches on the rise, the onus is on providers to update security protocols and ensure the safety of this information.

During an Oct. 1 webinar presented by Becker's Hospital Review and sponsored by Rectangle Health, Mike Peluso, chief technology officer at Rectangle Health, discussed how data breaches occur, how to ensure the safety of patient records and the consequences of breaches for patients and providers.

The average cost of a single data breach across all industries increased 12 percent over the past five years to $3.92 million, according to IBM's 2019 Cost of a Data Breach Report. The average cost of a breach in the healthcare industry is $6.5 million — 60 percent higher than the cross-industry average.

Ninety percent of hospitals reported a data breach in 2017 and 2018 with the U.S. healthcare industry reporting a high of 365 breaches in 2018, according to a recent report published in the HIPAA Journal.

"The healthcare system is an expensive system to manage," Mr. Peluso said. "If we can get better at the compliance side … and securing patient information, we can probably reduce these costs a little and help the system along."

How data breaches occur

There's a vast amount of personal information tied to patient medical records, such as home addresses, phone numbers, insurance and social security numbers. Hackers use this information to sell for profit and to gain access to other financial systems.

"The hacker is capturing that information because inside of your practice management system or your office's servers, there's a lot of information on the patient," Mr. Peluso said. "They're using it for other types of financial gain, not necessarily stealing that patient information to understand what the patient had."

Although hackers seek out medical records, most data breaches are attributed to human error such as misplacing a work laptop, email viruses or the improper disposal of records, according to Mr. Peluso.

"There's a lot of hype around IT and technology but it's actually quite a bit of human error … that can be prevented by just training employees on a better way to handle a lot of those items," Mr. Peluso said.

This challenge can be mitigated by integrating security measures into EHR systems, developing proper protocols for the disposal of patient health information, and conducting regular staff training.

"It should be a day-to-day subject that needs to be addressed. Passwords need to be changed; updates need to happen," Mr. Peluso said. "When we terminate an employee … we need to terminate that employee's access to various systems as well."

Consequences of data breaches

The HIPAA Privacy, Security and Breach Notification Rules and the Health Information Technology for Economic and Clinical Health (HITECH) Act were put in place, and are enforced, to help tackle the rising number of data breaches.

In 2004, the HIPAA legislation established rules to ensure the confidentiality, integrity and availability of electronic patient health information, while the HITECH Act enforced more stringent legal liability on providers in 2009.

"It's not just a law. It's good practice to secure patient data and understand that it's a constant practice," Mr. Peluso said. "It needs to be certified and continually re-certified, staff need to be trained and continually re-trained, and systems secured and then continually re-secured."

Smaller organizations are at a greater risk of being targeted by hackers than large health systems as their security protocols may not be as strong. Data breaches can be especially harmful to these organizations' reputation and finances.

"The provider is trusted with patient data and … a patient's assumption is that the data is going to be protected," Mr. Peluso said. "It's not just a data loss. You're losing a patient. If we lose patient confidence, the [risk] of losing the patient increases quite a bit."

Reputational risks include the loss of patients, strategic partners and staff. Financial consequences can include costs of remediation, communication, deductibles and increased insurance, with added penalties and fines enforced by regulatory bodies.

Conclusion

As digital technology evolves, the risk of healthcare data breaches and human error increases. The consequences of data breaches for both patients and providers are significant. By ensuring EHR systems are updated, security measures are in place and staff are continually trained, providers can help guard against data breaches and better secure patient data.